diff --git a/internal/rbd/rbd_util.go b/internal/rbd/rbd_util.go
index 142e9a3c8..9e6004cf2 100644
--- a/internal/rbd/rbd_util.go
+++ b/internal/rbd/rbd_util.go
@@ -169,6 +169,9 @@ func (rv *rbdVolume) Destroy() {
 if rv.conn != nil {
 rv.conn.Destroy()
 }
+ if rv.KMS != nil {
+ rv.KMS.Destroy()
+ }
 }
 
 // String returns the image-spec (pool/{namespace/}image) format of the image.
diff --git a/internal/util/crypto.go b/internal/util/crypto.go
index 04057ac74..269ad3fbd 100644
--- a/internal/util/crypto.go
+++ b/internal/util/crypto.go
@@ -51,6 +51,7 @@ const (
 // EncryptionKMS provides external Key Management System for encryption
 // passphrases storage.
 type EncryptionKMS interface {
+ Destroy()
 GetPassphrase(key string) (string, error)
 SavePassphrase(key, value string) error
 DeletePassphrase(key string) error
@@ -75,6 +76,11 @@ func initSecretsKMS(secrets map[string]string) (EncryptionKMS, error) {
 return SecretsKMS{passphrase: passphraseValue}, nil
 }
 
+// Destroy frees all used resources.
+func (kms SecretsKMS) Destroy() {
+ // nothing to do
+}
+
 // GetPassphrase returns passphrase from Kubernetes secrets.
 func (kms SecretsKMS) GetPassphrase(key string) (string, error) {
 return kms.passphrase, nil
diff --git a/internal/util/vault.go b/internal/util/vault.go
index a9b91e9fe..d585510f7 100644
--- a/internal/util/vault.go
+++ b/internal/util/vault.go
@@ -167,7 +167,6 @@ func (vc *vaultConnection) initConnection(kmsID string, config map[string]interf
 if err != nil {
 return fmt.Errorf("failed to create temporary file for Vault CA: %w", err)
 }
- // TODO: delete f.Name() when vaultConnection is destroyed
 }
 
 // update the existing config only if no config is available yet
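Review bot: The new `Destroy()` method added to the EncryptionKMS interface in the crypto.go hunk has no doc comment, so implementers cannot tell whether it must be idempotent or safe to call on a KMS whose connection was never established; the rbd_util.go hunk calls it unconditionally from rbdVolume.Destroy, which makes that contract matter. Add above it `// Destroy releases any resources held by the KMS; it must be safe to call more than once.` (adjust the wording if repeated calls are not intended). The other interface methods lack comments as well, but that predates this change.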
@@ -201,6 +200,18 @@ func (vc *vaultConnection) connectVault() error {
 return nil
 }
 
+// Destroy frees allocated resources. For a vaultConnection that means removing
+// the created temporary files.
+func (vc *vaultConnection) Destroy() {
+ if vc.vaultConfig != nil {
+ tmpFile, ok := vc.vaultConfig[api.EnvVaultCACert]
+ if ok {
+ // ignore error on failure to remove tmpfile (gosec complains)
+ _ = os.Remove(tmpFile.(string))
+ }
+ }
+}
+
 // InitVaultKMS returns an interface to HashiCorp Vault KMS.
 func InitVaultKMS(kmsID string, config map[string]interface{}, secrets map[string]string) (EncryptionKMS, error) {
 kms := &VaultKMS{}
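Review bot: `tmpFile.(string)` on the os.Remove line is an unchecked type assertion that panics if the entry under api.EnvVaultCACert holds anything other than a string, and since vaultConfig appears to be populated from a map[string]interface{} config (the earlier vault.go hunk's context says the existing config is only updated when none is present), the value there is not guaranteed to be the file this connection created. Use the checked form, `if name, ok := tmpFile.(string); ok { _ = os.Remove(name) }`. Beyond the panic, removing whatever path sits in the config risks deleting a caller-supplied CA certificate rather than the temporary file; recording the temporary file's name in a dedicated vaultConnection field when it is created (the removed TODO referred to f.Name()) and removing only that path would make Destroy safe regardless of how the config was populated. Clearing the map entry after a successful removal would also keep repeated Destroy calls from retrying the os.Remove.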